This invention relates to a security control system to thwart malware, and in particular, to a security control system for protecting multi-core processors from malware.
Malware subverts normal program execution and gains control of a computer, sometimes even with escalation of privilege (i.e., becoming root).
Any computer program needs two types of memory segments (i.e., the code and data segments) for its execution. The code segment holds the instructions that direct a processor's computation, while the data segments keep the interim computation results needed to carry on the program's execution. Cyber-attacks tamper with both the code and data segments to subvert computer systems. Computer viruses are a well-known example: they often modify a victim program's code segment and insert malicious code into the victim program. Existing solutions, such as memory write protection, code signing, and anti-virus software, provide methods to preserve the integrity of the code segment. Attackers, however, can still subvert a normal program's execution by tampering with only the data segment.
In normal execution, a processor will fetch an instruction, and while the instruction is being executed, the processor will fetch the next instruction from the address immediately after. From time to time, normal program execution forces the program to “jump” to another address altogether and continue from that point. Execution can also be diverted by “calling a subroutine”, a process in which the processor saves the return address of the next instruction before jumping to execute elsewhere. At the end of the subroutine, the processor “returns” by retrieving the address that was stored before. A similar process is used to perform “interrupts”. An interrupt is a way to tell the processor that it has to do something else before it continues its execution. The return address is again stored before the interrupt is served, but here the address to jump to is not present in the instruction, since the instruction being executed does not necessarily know that an interrupt must be served. Instead, the address that “serves” the interrupt is stored in a table.
A common manner in which malware subverts this normal operation is by replacing the return address for subroutines or by replacing the service address for interrupts. The return addresses for subroutines are stored on the “stack”, a structure in memory that holds the return address, the subroutine parameters, and the local variables of the subroutine to be executed. The fact that the variables are stored in the same structure as the return address creates the famous buffer overflow problem, where hackers can modify the return address by “writing” beyond the variables' reserved space. Reaching the service space of the interrupt is a bit more complicated, since many of the required instructions are protected, but there are equivalent “clever” ways to overcome these defenses.
These are not the only ways to perform the “attack”, only examples of the methods, but all the methods rely on thwarting the mechanisms by modifying either the “jump” or the “return” addresses (sometimes both).
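The stack layout described above can be shown with a small simulation, added here as an example and not part of the original text: a frame is modeled as a byte array with a 16-byte local buffer directly below the saved return address, and a copy that trusts the caller's length is compared with one that checks it. The names (`frame_t`, `frame_call`, `frame_return`, `copy_unchecked`, `copy_bounded`, `run_case`), the sizes and the address 0x1000 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define LOCALS_SIZE 16                                /* space reserved for local variables */
#define FRAME_SIZE  (LOCALS_SIZE + sizeof(uintptr_t)) /* locals + saved return address */

/* Simulated stack frame (hypothetical model): one byte array, so all writes stay in bounds. */
typedef struct { uint8_t mem[FRAME_SIZE]; } frame_t;

/* "Call": clear the locals and save the return address right after them. */
static void frame_call(frame_t *f, uintptr_t ret) {
    memset(f->mem, 0, FRAME_SIZE);
    memcpy(f->mem + LOCALS_SIZE, &ret, sizeof ret);
}
/* "Return": read back whatever now sits in the return-address slot. */
static uintptr_t frame_return(const frame_t *f) {
    uintptr_t ret;
    memcpy(&ret, f->mem + LOCALS_SIZE, sizeof ret);
    return ret;
}

/* Unchecked copy: trusts the caller's length. The clamp only keeps the demo inside the model. */
static void copy_unchecked(frame_t *f, const uint8_t *src, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->mem, src, n);
}
/* Bounded copy: rejects input larger than the space reserved for the locals. */
static int copy_bounded(frame_t *f, const uint8_t *src, size_t n) {
    if (n > LOCALS_SIZE) return -1;
    memcpy(f->mem, src, n);
    return 0;
}

/* Returns 1 if the saved return address survives the copy, 0 if it changed. */
static int run_case(int bounded, size_t input_len) {
    const uintptr_t expected = 0x1000;   /* constructed return address */
    uint8_t input[FRAME_SIZE];
    frame_t f;
    memset(input, 0x41, sizeof input);   /* constructed filler input */
    frame_call(&f, expected);
    if (bounded) (void)copy_bounded(&f, input, input_len);
    else copy_unchecked(&f, input, input_len);
    return frame_return(&f) == expected;
}

int main(void) {
    printf("return address intact: fits=%d too_long=%d too_long_bounded=%d\n",
           run_case(0, LOCALS_SIZE), run_case(0, FRAME_SIZE), run_case(1, FRAME_SIZE));
    return 0;
}
```

Even a single byte past the reserved space changes the saved address in the unchecked case, which is why the length check has to happen before the write rather than after it.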
Corresponding reference characters indicate corresponding parts as set forth in the specification. Although the drawing represents an embodiment of the present invention, the drawing is not necessarily to scale and certain features may be exaggerated in order to better illustrate and explain the present invention. The exemplification set out herein illustrates embodiments of the invention, and such exemplifications are not to be construed as limiting the scope of the invention in any manner.